iOS 11 removed "Integrated" Apps like Facebook and Twitter, due to availability of share sheets.

iOS 11 removed ability for apps to access MAC addresses of devices on the same Wi-Fi network), due to privacy abuses by apps. Since iOS 7, apps can't access the MAC address of the user device.

WebKit (iOS 11 & Mac OS) has new protections against HSTS Fingerprinting, due to in-the-wild abuses.

Open Questions:

As always there is basic system info available similar to what any
web page can access: IP address, HTTP headers, etc. Many of these are
low entropy or can be changed by the user through various means, but
it may be possible to combine enough for a reasonable identification.
Or for reasonable enough correlation for cross-device tracking.

It appears that apps can only get enhanced information about a Wi-Fi
hotspot with a special entitlement from Apple (it's not clear to the
layperson exactly what information). However, there does appear to be
a way to obtain network name of the current Wi-Fi network, which
is a problem because it can allow location tracking and therefore
also correlations to other people or sensitive places.

There are apps in the app store that show system information like
uptime, battery level, disk size and usage, memory size and usage,
network usage, LAN IP address, etc. These became more restricted
in iOS 9 and iOS 10, but is there any review, entitlement, or other
mechanism to keep access to these system elements out of typical app
or app 3rd-party code?

Is accelerometer and gyroscope data available to apps freely, or does
it require "Motion and Fitness" access?

What uses exist of persistent data stores by apps, or by apps across
an app group, that survive app (or app group) deletion? Are there any
persistent data stores that survive device erase and restore, that
can be accessed by an app after restore?

Are there any other fingerprinting vectors or open questions?

In general, what remaining device fingerprinting privacy / security vulnerabilities still exist as of iOS 11, particularly those that have no user settings or user actions that can thwart them?